SGC Statement

By Digi-Sign

Created Sep 3 2004 - 16:28

03 September, 2004

Server Gated Cryptography Myths

We are frequently asked about Server Gated Cryptography (SGC) and why VeriSign® offers this 'valuable' function with its SSL certificates (although more companies have 'jumped on the bandwagon' lately).

Statements like:

'VeriSign is the only major CA that offers a certificate that will always encrypt at 128-bit encryption' and/or that Digi-Sign's certificates depend on two things to ensure a 128-bit session:

1. the browser must be recent enough to handle 128-bit encryption

and

2. all Windows 2000 machines must have been shipped with or have downloaded Microsoft's Service Pack 2

These statements are designed to confuse and are misleading.

To clarify this, the following formal statement has been prepared:

The first confirmation I would like to make is that our Digi-SSL™ Certificates are true so-called 128-bit certificates, which you can confirm simply by connecting to any of our secure sites, e.g. https://www.digi-sign.com

Before we comment on VeriSign's statements to the contrary, allow me to give you some background on the Server Gated Cryptography terminology that VeriSign refers to.

Server Gated Cryptography (Microsoft's implementation), also known as International Step-Up (Netscape's implementation), is (was) nothing more than a workaround for an out-of-date US Government policy from 1995. This policy stated that, for national security and safety reasons, only a maximum of 40-bit encryption could be used in home and corporate hardware and software for non-US customers.

Although almost all versions of Microsoft Internet Explorer and Netscape Navigator/Communicator were technically capable of supporting 128-bit encryption, the US Government, by releasing this policy, forced two major US development companies, Microsoft and Netscape (and in fact all US development companies), to disable this facility and restrict connections from outside the US to a maximum encryption level of 40-bit.

At that time, online banking and internet access to financial resources were becoming more and more common in many countries, not only in the US, which led the major international banks to a conclusion: secure access to their banks and financial resources requires more than just 40-bit encryption.

To meet their expectations without violating the US Government policy, Microsoft and Netscape, together with VeriSign (and other PKI vendors), introduced what is now called Server Gated Cryptography or International Step-Up.

Under the US Government restriction, 128-bit SSL certificates supporting Server Gated Cryptography could only be issued to trusted organisations; outside the US, this meant only banks or financial institutions. Before a Certification Authority (such as VeriSign) could issue such a certificate to a non-US company, it had to further validate the customer to establish whether it was a bank or a financial institution.

Therefore, initially, not every company in the world, or even in the US could get a Server Gated Cryptography enabled SSL certificate to fully support 128-bit encryption.

The way the Server Gated Cryptography works is very simple:

Certification Authority (such as VeriSign) adds two extensions to their certificate key usage:

and issues a Server Gated Cryptography enabled certificate to a validated company

When you connect via SSL to a server that has a Server Gated Cryptography enabled certificate installed, the initial browser connection is always made using 40-bit encryption.

During the 'handshake', the browser downloads the server certificate and checks whether it was issued by a Trusted Certification Authority.

Once the browser is satisfied that the server certificate is trusted, it checks whether the certificate has the Server Gated Cryptography extension.

If it does, the browser immediately renegotiates the session values by re-establishing the connection with the server using 128-bit encryption.

This is the whole 'trick' behind the Server Gated Cryptography.
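The step-up decision described above, modelled as an added example (not code from Digi-Sign or any browser). The two SGC identifiers are the registered Microsoft SGC and Netscape Step-Up extended key usage OIDs, supplied here rather than taken from the page; the function names and the DER sample values are constructed for illustration.

```python
# Added illustration: models the step-up rules, it is not real browser code.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
MS_SGC = "1.3.6.1.4.1.311.10.3.3"      # Microsoft Server Gated Crypto
NS_STEP_UP = "2.16.840.1.113730.4.1"   # Netscape International Step-Up
SGC_OIDS = {MS_SGC, NS_STEP_UP}

def decode_oid(body):
    """Decode the content octets of a DER OBJECT IDENTIFIER."""
    if not body or body[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:          # high bit clear: last octet of this arc
            arcs.append(value)
            value = 0
    x = min(arcs[0] // 40, 2)        # the first value packs the first two arcs
    return ".".join(str(a) for a in [x, arcs[0] - 40 * x] + arcs[1:])

def parse_eku(der):
    """Return the OIDs in an extended key usage value (SEQUENCE OF OID)."""
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2 or der[1] > 0x7F:
        raise ValueError("expected a short-form DER SEQUENCE")
    oids, pos = [], 2
    while pos < len(der):
        if pos + 2 > len(der) or der[pos] != 0x06 or der[pos + 1] > 0x7F:
            raise ValueError("expected a short-form OBJECT IDENTIFIER")
        end = pos + 2 + der[pos + 1]
        if end > len(der):
            raise ValueError("OID runs past the end of the SEQUENCE")
        oids.append(decode_oid(der[pos + 2:end]))
        pos = end
    return oids

def negotiated_bits(browser_max_bits, issuer_trusted, eku_der):
    """Key strength the session ends up with under the step-up rules."""
    if browser_max_bits >= 128:
        return 128                   # unrestricted browser: no step-up needed
    # Export-grade browser: the handshake starts at 40-bit and is renegotiated
    # only when a trusted CA issued the certificate and it carries an SGC OID.
    if issuer_trusted and SGC_OIDS & set(parse_eku(eku_der)):
        return 128
    return 40

# Constructed sample EKU values (DER), not taken from any real certificate.
PLAIN_EKU = bytes.fromhex("300a06082b06010505070301")
SGC_EKU = bytes.fromhex("302106082b06010505070301"
                        "060a2b0601040182370a0303"
                        "06096086480186f8420401")
```

Only the export-restricted browser depends on the certificate; a browser that already supports 128-bit gets a 128-bit session with either sample value.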

Before the US Government removed the encryption level restriction policy, many European companies developed workaround tools and so called patches for this problem to allow their browsers to work with full 128-bit encryption.

On January 15, 2000 the US Government relaxed export restrictions on the worldwide shipment of strong encryption (defined as 128-bit support). Once this happened, Microsoft and Netscape released so called 'encryption upgrades' that did nothing more than remove the 40-bit encryption restriction from their systems.

Today, the current standard encryption level for all home and corporate software/hardware is 128-bit, therefore each user supporting 128-bit encryption may connect to a site secured with our Digi-SSL™ certificate using a 128-bit session.

Digi-Sign sees no need in the current market that would lead us to enable the Server Gated Cryptography extension in our certificates. The percentage of users using old IE 5.0, or Netscape 4.x browsers with 40-bit capabilities is so small, that it is currently less than 1%. In addition to this, Microsoft no longer supports products such as Windows 95, IE 4.0, IE 5.0 and in the same way Netscape is not supporting their Communicator 4.x software.

The ongoing development of new products, browser versions, plug-ins, additions etc. is currently forcing the remaining percentage of users to update their browsers, which will automatically enable their browsers/systems with 128-bit encryption.

Digi-Sign certificates are not dependent on any end user specification. At the moment, it is basically the end user's browser that decides what encryption level to choose.

Statements like 'a browser needs to be recent enough to support the 128-bit encryption' are misleading. Microsoft IE 5.5 and Netscape from 4.7 support 128-bit encryption by default. They are now 4 years old too!

It is true that a Windows 2000 machine needs an encryption pack update or Service Pack 2 to support 128-bit encryption. The first releases of Windows 2000 were capable of only 40-bit encryption (due to the US restriction). Once the restriction was removed by the US Government, in January 2000, Microsoft supplied an encryption update pack to enable this system to support 128-bit encryption, and finally Service Pack 2 was released, which contained the encryption update pack. Again, this was more than 4 years ago!

Later releases of Windows 2000 were enabled with 128-bit encryption by default. Market research confirms that almost none of the users accessing the Internet at the moment have Windows 2000 based systems with a service pack lower than 2. In short, they support 128-bit encryption.

I hope I have provided enough information to support our position and that I have convinced you that 40-bit encryption is just a restriction in the browser, that Server Gated Cryptography is just a workaround for it which is no longer needed, and that current browser and OS usage market research clearly shows that almost all internet users use 128-bit compatible browsers/systems. By default!